Abstract. We focus on the realizability problem of Message Sequence
Graphs (MSG), i.e. the problem whether a given MSG specification is 
correctly distributable among parallel components communicating via 
messages. This fundamental problem of MSG is known to be undecid- 
able. We introduce a well motivated restricted class of MSG, so called 
controllable-choice MSG, and show that all its models are realizable and 
moreover it is decidable whether a given MSG model is a member of this 
class. In more detail, this class of MSG specifications admits a deadlock- 
free realization by overloading existing messages with additional bounded 
control data. We also show that the presented class is the largest known 
subclass of MSG that allows for deadlock-free realization. 

1 Introduction 

Message Sequence Chart (MSC) [15] is a popular formalism for specification of 
distributed systems behaviors (e.g. communication protocols or multi-process 
systems). Its simplicity and intuitiveness come from the fact that an MSC de- 
scribes only exchange of messages between system components, while other as- 
pects of the system (e.g. content of the messages and internal computation steps) 
are abstracted away. The formalism consists of two types of charts: (1) basic Mes- 
sage Sequence Charts (bMSC) that are suitable for designing finite communica- 
tion patterns and (2) High-level Message Sequence Charts (HMSC) combining 
bMSC patterns into more complex designs. In this paper, we focus on the latter
type, reformulated as Message Sequence Graphs (MSG), which has the same
expressive power as HMSC but a simpler structure, and hence it is often used
in theoretical computer science papers, see, e.g. [2,4,6,13,22].

Even such incomplete models as MSG can indicate serious errors in the de- 
signed system. The errors can cause problems during implementation or even 
make it impossible. Concerning verification of MSC models, researchers have 
studied a presence of a race condition in an MSC [3,7,10,22], boundedness of
the message channels [4], the possibility to reach a non-local branching node
[6,19,13,16,17,11,20], deadlocks, livelocks, and many more. For a recent overview
of current results see, e.g. [5]. 

In this paper, we focus on the realizability problem of MSG specifications, 
i.e. implementation of the specification among parallel machines communicating 
via messages. This problem has been studied in various settings reflecting pa- 
rameters of the parallel machines, the environment providing message exchanges 
as well as the type of equivalence considered between the MSG specification and 
its implementation. Some authors restricted the communication to synchronous 
handshake [13,12], needed several initial states in the synthesized machines [5], or
considered language equivalence with global accepting states in the implementa- 
tion (the implementation accepts if the components are in specific combinations 
of its states) [5T] . From our point of view, the crucial aspect is the attitude to 
non-accepted executions of the implementation. When language equivalence is 
taken into account, an intentional deadlock can prevent a badly evolving exe- 
cution from being accepted [13]. In our setting every partial execution can be 
extended into an accepting one. Therefore, we focus on a deadlock-free imple- 
mentation of a given MSG into Communicating Finite-State Machines (CFM) 
with FIFO communicating channels and distributed acceptance condition, i.e. a 
CFM accepts if each machine is in an accepting state. In [18] , it has been shown 
that existence of a CFM realizing a given MSG without deadlocks is undecid- 
able. When restricted to bounded MSG (aka regular MSG, i.e. communicating 
via finite/bounded channels, and so generating a regular language), the problem 
is EXPSPACE-complete Q3]. 

In later work 13 5J, a finite data extension of messages was considered when 
realizing MSG. This is a very natural concept because message labels in MSG 
are understood as message types abstracting away from the full message con- 
tent. Hence, during implementation, the message content can be refined with 
additional (finite) data that helps to control the computation of the CFM in or- 
der to achieve the communication sequences as specified in the given MSG. The 
main obstacle when realizing MSG are nodes with multiple outgoing edges — 
choice nodes. In a CFM realization, it is necessary to ensure that all Finite-State 
Machines choose the same successor of each choice node. This can be hard to 
achieve as the system is distributed. 

In [13], a class of so called local-choice MSG [17,6] was shown to include
only MSG realizable in the above mentioned setting. Local-choice specifica- 
tions have the communication after each choice node initiated by a single pro- 
cess — the choice leader. Intuitively, whenever a local-choice node is reached, 
the choice leader machine attaches to all its outgoing messages the information 
about the chosen node. The other machines pass the information on. This con- 
struction is sufficient to obtain a deadlock-free realization, for details see [T3] . 
Another possible realization of local-choice MSG is presented in [IB]. Due to [IT] , 
it is also decidable to determine whether a given MSG is language equivalent 
to some local-choice MSG and, moreover, each equivalent MSG can be algorithmically
realized by a CFM. To the best of our knowledge, this is the largest
class of deadlock-free realizable specifications in the standard setting, i.e. with
additional data, FIFO channels, and local accepting states. 

In this paper, we introduce a new class of controllable-choice MSG that extends
this large class of realizable MSG. The crucial idea of controllable-choice
MSG is that even some non-local-choice nodes can be implemented, if the pro- 
cesses initiating the communication after the choice can agree on the successor 
node in advance. This is achieved by exchanging bounded additional content 
in existing messages. We call choice nodes where such an agreement is possible 
controllable-choice nodes, and show that the class of MSG with these nodes is 
more expressive than the class of MSG that are language equivalent to local- 
choice MSG. 

2 Preliminaries 

In this section, we introduce the Message Sequence Chart (MSC) formalism 
that was standardized by the International Telecommunications Union (ITU-T) 
as Recommendation Z.120 [15] . It is used to model interactions among parallel 
components in a distributed environment. First, we introduce the basic MSC. 

Basic Message Sequence Charts (bMSC). Intuitively, a bMSC identifies
a single finite execution of a message passing system. Processes are denoted as 
vertical lines — instances. Message exchange is represented by an arrow from 
the sending process to the receiving process. Every process identifies a sequence 
of actions — sends and receives — that are to be executed in the order from 
the top of the diagram. The communication among the instances is not syn- 
chronous and can take arbitrarily long time. 

Definition 1. A basic Message Sequence Chart (bMSC) $M$ is defined by a tuple
$(E, <, V, \mathcal{T}, P, \mathcal{M}, l)$ where:

— $E$ is a finite set of events,

— $<$ is a partial ordering on $E$ called visual order,

— $V$ is a finite set of processes,

— $\mathcal{T} : E \to \{\text{send}, \text{receive}\}$ is a function dividing events into sends and receives,

— $P : E \to V$ is a mapping that associates each event with a process,

— $\mathcal{M} : \mathcal{T}^{-1}(\text{send}) \to \mathcal{T}^{-1}(\text{receive})$ is a bijective mapping, relating every send
with a unique receive, such that a process cannot send a message to itself,
we refer to a pair of events $(e, \mathcal{M}(e))$ as a message, and

— $l$ is a function associating with every message $(e, f)$ a label $m$ from a finite
set of message labels $\mathcal{C}$, i.e. $l(e, f) = m$.

Visual order $<$ is defined as the reflexive and transitive closure of
$\mathcal{M} \cup \bigcup_{p \in V} <_p$, where $<_p$ is a total order on $P^{-1}(p)$.

We require the bMSC to be first-in-first-out (FIFO), i.e., the visual order satisfies
for all messages $(e, f)$, $(e', f')$ and processes $p, p'$ the following condition:

$$e <_p e' \wedge P(f) = P(f') = p' \Rightarrow f <_{p'} f'.$$

Every event of a bMSC can be represented by a letter from an alphabet

$$\Sigma = \{p!q(m) \mid p, q \in V, m \in \mathcal{C}\} \cup \{q?p(m) \mid p, q \in V, m \in \mathcal{C}\}.$$

Intuitively, $p!q(m)$ denotes a send event of a message with a label $m$ from a process
$p$ to a process $q$, and $q?p(m)$ represents a receive event of a message with
a label $m$ by $q$ from a process $p$. We define a linearization as a word over $\Sigma$
representing a total order of events that is consistent with the partial order $<$.
For a given bMSC $M$, a language $\mathcal{C}(M)$ is the set of all linearizations of $M$.

Message Sequence Graphs. It turns out that specifying finite communication
patterns is not sufficient for modelling complex systems. Message Sequence
Graphs allow us to combine bMSCs into more complex systems using alternation 
and iteration. An MSG is a directed graph with nodes labeled by bMSCs and 
two special nodes, the initial and the terminal node. Applying the concept of 
finite automata [H] , the graph represents a set of paths from the initial node to 
the terminal node. In MSG, every such a path identifies a sequence of bMSCs. 
As every finite sequence of bMSCs can be composed into a single bMSC, an 
MSG serves as a finite representation of an (infinite) set of bMSCs. 

Definition 2. A Message Sequence Graph (MSG) is defined by a tuple
$G = (S, \tau, s_0, s_f, L)$, where $S$ is a finite set of states, $\tau \subseteq S \times S$ is an edge relation,
$s_0 \in S$ is the initial state, $s_f \in S$ is the terminal state, and $L : S \to \mathrm{bMSC}$ is
a labeling function.

W.l.o.g., we assume that there is no incoming edge to $s_0$ and no outgoing
edge from $s_f$. Moreover, we assume that there are no nodes unreachable from
the initial node and the terminal node is reachable from every node in the graph.

Given an MSG $G = (S, \tau, s_0, s_f, L)$, a path is a finite sequence of states
$s_1 s_2 \ldots s_k$, where $\forall\, 1 \le i < k : (s_i, s_{i+1}) \in \tau$. A run is defined as a path with
$s_1 = s_0$ and $s_k = s_f$.

Intuitively, two bMSCs can be composed to a single bMSC by appending 
events of every process from the latter bMSC at the end of the process from 
the precedent bMSC. Formally, the sequential composition of two bMSCs
$M_1 = (E_1, <_1, V, \mathcal{T}_1, P_1, \mathcal{M}_1, l_1)$ and $M_2 = (E_2, <_2, V, \mathcal{T}_2, P_2, \mathcal{M}_2, l_2)$ such that the
sets $E_1$ and $E_2$ are disjoint (we can always rename events so that the sets become
disjoint), is the bMSC $M_1 \cdot M_2 = (E_1 \cup E_2, <, V, \mathcal{T}_1 \cup \mathcal{T}_2, P_1 \cup P_2, \mathcal{M}_1 \cup \mathcal{M}_2, l_1 \cup l_2)$,
where $<$ is a transitive closure of $<_1 \cup <_2 \cup \bigcup_{p \in V} (P_1^{-1}(p) \times P_2^{-1}(p))$. Note that
we consider the weak concatenation, i.e. the events from the latter bMSC may 
be executed even before some events from the precedent bMSC. 

Now, we extend the MSG labeling function $L$ to paths. Let $\sigma = s_1 s_2 \ldots s_n$
be a path in MSG $G$, then $L(\sigma) = L(s_1) \cdot L(s_2) \cdots L(s_n)$. For a given MSG $G$,
the language $\mathcal{C}(G)$ is defined as $\bigcup_{\sigma \text{ is a run in } G} \mathcal{C}(L(\sigma))$. Hence, two MSG are said
to be language-equivalent if and only if they have the same languages.

Communicating Finite-State Machines. A natural formalism for implementing
bMSCs are Communicating Finite-State Machines (CFM) that are used
for example in |3llll3j . The CFM consists of a finite number of finite-state machines
that communicate with each other by passing messages via unbounded
FIFO channels.

Definition 3. Given a finite set $V$ of processes and a finite set of message
labels $\mathcal{C}$, the Communicating Finite-State Machine (CFM) $\mathcal{A}$ consists of Finite-State
Machines (FSMs) $(\mathcal{A}_p)_{p \in V}$. Every $\mathcal{A}_p$ is a tuple $(S_p, A_p, \to_p, s_p, F_p)$, where:

— $S_p$ is a finite set of states,

— $A_p \subseteq \{p!q(m) \mid q \in V, m \in \mathcal{C}\} \cup \{p?q(m) \mid q \in V, m \in \mathcal{C}\}$ is a set of actions,

— $\to_p \subseteq S_p \times A_p \times S_p$ is a transition relation,

— $s_p \in S_p$ is the initial state, and

— $F_p \subseteq S_p$ is a set of local accepting states.

We associate an unbounded FIFO error-free channel $B_{pq}$ with each pair of FSMs
$\mathcal{A}_p, \mathcal{A}_q$. In every configuration, the content of the channel is a finite word over
the label alphabet $\mathcal{C}$.

Whenever an FSM $\mathcal{A}_p$ wants to send a message with a label $m \in \mathcal{C}$ to $\mathcal{A}_q$,
it enqueues the label $m$ into channel $B_{pq}$. We denote this action by $p!q(m)$.
Provided there is a message with a label $m$ in the head of channel $B_{pq}$, the
FSM $\mathcal{A}_q$ can receive and dequeue the message with the label $m$. This action
is represented by $q?p(m)$. A configuration of a CFM $\mathcal{A} = (\mathcal{A}_p)_{p \in V}$ is a tuple
$C = (s, B)$, where $s \in \prod_{p \in V} S_p$ and $B \in (\mathcal{C}^*)^{V \times V}$ — local states of the FSMs
together with the contents of the channels. Whenever there is a configuration
transition $C_j \xrightarrow{a_j} C_{j+1}$, there exists a process $p \in V$ such that the FSM $\mathcal{A}_p$
changes its local state by executing action $a_j \in A_p$ and modifies the content of
one of the channels.

The CFM execution starts in an initial configuration $s_0 = \prod_{p \in V} \{s_p\}$ with
all the channels empty. The CFM is in an accepting configuration, if every FSM
is in some of its final states and all the channels are empty. We will say that
a configuration is a deadlock, if no accepting configuration is reachable from it.
A CFM is deadlock-free if no deadlock configuration is reachable from the initial
configuration. An accepting execution of a CFM $\mathcal{A}$ is a finite sequence of configurations
$C_1 \xrightarrow{a_1} C_2 \xrightarrow{a_2} \cdots \xrightarrow{a_{n-1}} C_n$ such that $C_1$ is the initial configuration and $C_n$
is an accepting configuration. The word $a_1 a_2 \cdots a_{n-1}$ is then an accepted word
of $\mathcal{A}$. Given a CFM $\mathcal{A}$, the language $\mathcal{C}(\mathcal{A})$ is defined as the set of all accepted
words of $\mathcal{A}$.

3 Controllable-choice Message Sequence Graphs 

For a given MSG we try to construct a CFM such that every execution specified 
in the MSG specification can be executed by the CFM and the CFM does not 
introduce any additional unspecified execution. 

Definition 4. An MSG $G$ is realizable iff there exists a deadlock-free CFM
$\mathcal{A}$ such that $\mathcal{C}(G) = \mathcal{C}(\mathcal{A})$.

One of the most natural realizations are projections. A projection of a bMSC
$M$ on a process $p$, denoted by $M|_p$, is the sequence of events that are to be
executed by the process $p$ in $M$. For every process $p \in V$, we construct a FSM
$\mathcal{A}_p$ that accepts a single word $M|_p$. This construction is surprisingly powerful
and models all of the bMSC linearizations.

Proposition 1. Let $M$ be a bMSC, then CFM $\mathcal{A} = (M|_p)_{p \in V}$ is a realization,
i.e. $\mathcal{C}(M) = \mathcal{C}(\mathcal{A})$.
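
Proposition 1 checked on two small bMSCs, as an added example that is not code from the paper: it enumerates the linearizations from the visual order and, independently, the words accepted by the projection CFM over FIFO channels, then compares the two sets. The event ids, the tuple encoding of letters, the function names and both sample charts are constructed here.

```python
# Letters of the alphabet are tuples (process, kind, peer, label),
# kind "!" for a send to peer and "?" for a receive from peer.

def linearizations(events, order, messages):
    """All words that order the events consistently with the visual order."""
    preds = {e: set() for e in events}
    for seq in order.values():                 # total order on each process
        for a, b in zip(seq, seq[1:]):
            preds[b].add(a)
    for send, recv in messages:                # every send precedes its receive
        preds[recv].add(send)
    words = set()

    def extend(done, word):
        if len(done) == len(events):
            words.add(word)
            return
        for e in events:
            if e not in done and preds[e] <= done:
                extend(done | {e}, word + (events[e],))

    extend(frozenset(), ())
    return words


def accepted_words(projections):
    """Words accepted by the CFM whose FSM for p accepts exactly the word M|p."""
    procs = sorted(projections)
    words = set()

    def run(pos, chans, word):
        done = all(pos[p] == len(projections[p]) for p in procs)
        if done and not any(chans.values()):
            words.add(word)                    # every FSM final, every channel empty
        for p in procs:
            if pos[p] == len(projections[p]):
                continue
            letter = projections[p][pos[p]]
            _, kind, peer, label = letter
            nxt = dict(chans)
            if kind == "!":                    # enqueue into the channel p -> peer
                nxt[(p, peer)] = chans.get((p, peer), ()) + (label,)
            else:                              # dequeue the head of channel peer -> p
                queue = chans.get((peer, p), ())
                if not queue or queue[0] != label:
                    continue
                nxt[(peer, p)] = queue[1:]
            run({**pos, p: pos[p] + 1}, nxt, word + (letter,))

    run({p: 0 for p in procs}, {}, ())
    return words


def projection_cfm_matches(events, order, messages):
    """True iff the projection CFM accepts exactly the linearizations."""
    projections = {p: [events[e] for e in seq] for p, seq in order.items()}
    return linearizations(events, order, messages) == accepted_words(projections)


# Constructed sample 1: two crossing messages between p and q.
CROSS_EVENTS = {
    "e1": ("p", "!", "q", "m"), "e2": ("p", "?", "q", "m'"),
    "f1": ("q", "!", "p", "m'"), "f2": ("q", "?", "p", "m"),
}
CROSS_ORDER = {"p": ["e1", "e2"], "q": ["f1", "f2"]}
CROSS_MESSAGES = [("e1", "f2"), ("f1", "e2")]

# Constructed sample 2: two messages on one FIFO channel, then a reply.
FIFO_EVENTS = {
    "a1": ("p", "!", "q", "a"), "a2": ("p", "!", "q", "b"), "a3": ("p", "?", "q", "ack"),
    "b1": ("q", "?", "p", "a"), "b2": ("q", "?", "p", "b"), "b3": ("q", "!", "p", "ack"),
}
FIFO_ORDER = {"p": ["a1", "a2", "a3"], "q": ["b1", "b2", "b3"]}
FIFO_MESSAGES = [("a1", "b1"), ("a2", "b2"), ("b3", "a3")]

if __name__ == "__main__":
    for name, args in [("cross", (CROSS_EVENTS, CROSS_ORDER, CROSS_MESSAGES)),
                       ("fifo", (FIFO_EVENTS, FIFO_ORDER, FIFO_MESSAGES))]:
        print(name, len(linearizations(*args)), projection_cfm_matches(*args))
```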

It turns out that the main obstacle when realizing MSG are nodes with 
multiple outgoing edges — choice nodes. It is necessary to ensure that all FSMs 
choose the same run through the MSG graph. This can be hard to achieve as 
the system is distributed. 

In what follows, we present a known class of local-choice MSG specifications 
that admits a deadlock-free realization by adding control data into the messages. 
Then, we define a new class of controllable-choice MSG and compare the expressive
power of the presented classes.

Local-choice MSG is a class studied by many authors [6,19,13,16,17,11]. Let
$M$ be a bMSC, we say that a process $p \in V$ initiates the bMSC $M$ if there exists
an event $e$ in $M$, such that $P(e) = p$ and there is no other event $e'$ in bMSC $M$
such that $e' < e$. For a given MSG, every node $s \in S$ identifies a set triggers(s),
the set of processes initiating the communication after the node $s$. Note that it
may not be sufficient to check only the direct successor nodes in the MSG.

Definition 5. Let $G = (S, \tau, s_0, s_f, L)$ be an MSG. For a node $s \in S$, the set
triggers(s) contains process $p$ if and only if there exists a path $\sigma = \sigma_1 \sigma_2 \ldots \sigma_n$
in $G$ such that $(s, \sigma_1) \in \tau$ and $p$ initiates bMSC $L(\sigma)$.

Definition 6. A choice node u is a local-choice node iff triggers(u) is a sin- 
gleton. An MSG specification G is local-choice iff every choice node of G is 
local-choice. 

Local-choice MSG specifications have the communication after every choice 
node initiated by a single process — the choice leader. In [13] a deadlock-free 
realization with additional data in messages is proposed. It is easy to see that ev- 
ery MSG specification G is deadlock-free realizable if there is a local-choice MSG 
$G'$ such that $\mathcal{C}(G) = \mathcal{C}(G')$. Note that the equivalence can be algorithmically
checked due to [IT] . 

Controllable specifications. The difficulties when realizing MSG are intro- 
duced by choice nodes. In local-choice MSG, the additional message content is 
used to ensure a single run through the graph is executed by all FSMs. In case 
of controllable-choice MSG, the additional content serves the same purpose but 
besides informing about the node the FSMs are currently executing the FSMs 
also attach a prediction about its future execution.
This allows us to relax the restriction on choice nodes and allows certain non-local
choice nodes to be present in the specification. However, it is necessary to
be able to resolve every occurrence of the choice node, i.e. make the decision in 
advance and inform all relevant processes. 

Definition 7. Let $M = (E, <, V, \mathcal{T}, P, \mathcal{M}, l)$ be a bMSC and $P' \subseteq V$ be a subset
of processes. A send event $e \in E$ is a resolving event for $P'$ iff

$$\forall p \in P'\ \exists e_p \in P^{-1}(p) \text{ such that } e < e_p.$$

Intuitively, resolving events of M for P' can distribute information to all 
processes of P' while executing the rest of M, provided that other processes are 
forwarding the information. 
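
Definitions 5 to 7 made concrete, as an added example that is not code from the paper: triggers(s) is computed by a search over pairs (node, processes that have already acted), and resolving events by reachability in the visual order. The projection encoding of bMSCs, the function names and the second sample graph are assumptions of this example; the first sample is the three-node MSG used in the proof of Theorem 1.

```python
from collections import defaultdict

# A bMSC is given by its projections: process -> list of (kind, peer, label),
# with kind "!" (send to peer) or "?" (receive from peer). FIFO channels pair
# the k-th send p!q with the k-th receive q?p.

def triggers(graph, labels, s):
    """Definition 5: processes that initiate L(sigma) for some path sigma after s."""
    found, seen = set(), set()
    todo = [(n, frozenset()) for n in graph[s]]
    while todo:
        node, acted = todo.pop()
        if (node, acted) in seen:
            continue
        seen.add((node, acted))
        now = set(acted)
        for p, events in labels.get(node, {}).items():
            if events and p not in acted:
                now.add(p)
                if events[0][0] == "!":    # first event of p on the path is a send:
                    found.add(p)           # nothing precedes it, so p initiates
        todo.extend((n, frozenset(now)) for n in graph[node])
    return found


def local_choice_nodes(graph, labels):
    """Definition 6: choice nodes whose triggers set is a singleton."""
    return {u for u, succ in graph.items()
            if len(succ) > 1 and len(triggers(graph, labels, u)) == 1}


def compose(labels, path):
    """Weak concatenation L(path): append each process's events node by node."""
    out = defaultdict(list)
    for node in path:
        for p, events in labels.get(node, {}).items():
            out[p].extend(events)
    return dict(out)


def resolving_events(bmsc, procs):
    """Definition 7: send events (process, index) that precede, in the visual
    order, some event on every process of procs."""
    succ = defaultdict(list)               # immediate successors in the visual order
    sends, recvs = defaultdict(list), defaultdict(list)
    for p, events in bmsc.items():
        for i, (kind, peer, _label) in enumerate(events):
            if i + 1 < len(events):
                succ[(p, i)].append((p, i + 1))        # process order
            channel = (p, peer) if kind == "!" else (peer, p)
            (sends if kind == "!" else recvs)[channel].append((p, i))
    for channel, out in sends.items():
        for e, f in zip(out, recvs[channel]):          # message edge send -> receive
            succ[e].append(f)
    result = []
    for e in [e for out in sends.values() for e in out]:
        reach, todo = {e}, [e]             # the order is reflexive: e itself counts
        while todo:
            for nxt in succ[todo.pop()]:
                if nxt not in reach:
                    reach.add(nxt)
                    todo.append(nxt)
        if set(procs) <= {p for p, _ in reach}:
            result.append(e)
    return sorted(result)


# Sample 1: the MSG from the proof of Theorem 1 (one looping node s).
THM1_GRAPH = {"s0": ["s"], "s": ["s", "sf"], "sf": []}
THM1_LABELS = {"s": {"p": [("!", "q", "m"), ("?", "q", "m'")],
                     "q": [("!", "p", "m'"), ("?", "p", "m")]}}

# Sample 2 (constructed): both direct successors of c are started by p alone,
# but process r starts talking one node later, on the path a d.
LATE_GRAPH = {"s0": ["c"], "c": ["a", "b"], "a": ["d"], "b": ["sf"],
              "d": ["sf"], "sf": []}
LATE_LABELS = {"a": {"p": [("!", "q", "x")], "q": [("?", "p", "x")]},
               "b": {"p": [("!", "q", "y")], "q": [("?", "p", "y")]},
               "d": {"r": [("!", "q", "z")], "q": [("?", "r", "z")]}}

if __name__ == "__main__":
    print(triggers(THM1_GRAPH, THM1_LABELS, "s"))
    print(resolving_events(compose(THM1_LABELS, ["s0", "s"]), {"p", "q"}))
    print(triggers(LATE_GRAPH, LATE_LABELS, "c"))
```

In the second sample the path from the initial node to c carries no events at all, so no resolving event for {p, r} exists and c is neither local-choice nor controllable-choice.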

Definition 8. Let $G = (S, \tau, s_0, s_f, L)$ be an MSG. A choice node $u$ is said to
be controllable-choice iff it satisfies both of the following conditions:

— For every path $\sigma$ from $s_0$ to $u$ there exists a resolving event in bMSC $L(\sigma)$
for triggers(u).

— For every path $\sigma = s_1 s_2 \ldots u$ such that $(u, s_1) \in \tau$, there exists a resolving
event in bMSC $L(\sigma)$ for triggers(u).

Intuitively, a choice node is controllable-choice, if every path from the ini- 
tial node is labeled by a bMSC with a resolving event for all events initiat- 
ing the communication after branching. Moreover, as it is necessary to attach 
only bounded information, the same restriction is required to hold for all cy- 
cles containing a controllable-choice node. In [8] we propose an algorithm that 
determines whether a given choice node is a controllable-choice node. 

Definition 9. An MSG specification G is controllable-choice iff every choice 
node is either local-choice or controllable. 

Note that there is no bound on the distance between the resolving event and 
the choice node it is resolving. 

Local-choice vs. controllable-choice MSG. In the following, we show that 
the controllable-choice MSG are more expressive than local-choice MSG. It is 
easy to see that every local-choice MSG is also a controllable-choice MSG and 
that not every controllable-choice MSG is local-choice. In the following theorem, 
we strengthen the result by stating that the class of MSG that are language 
equivalent to some controllable-choice MSG is more expressive than the class of 
MSG that are language-equivalent to some local-choice MSG. 

Theorem 1. The class of MSG that are language-equivalent to some local-choice
MSG, forms a proper subset of MSG that are language-equivalent to some
controllable-choice MSG.

Proof. Consider a MSG $G = (S, \tau, s_0, s_f, L)$ with three nodes $s_0$, $s_f$ and $s$, such
that $(s_0, s), (s, s), (s, s_f) \in \tau$ and the only non-empty bMSC is $L(s)$ with two
processes $p, q$. The projection of events on $p$ is $p!q(m), p?q(m')$ and similarly for $q$
the projection is $q!p(m'), q?p(m)$. Note that the only choice node $s$ is controllable
as both send events are resolving events for both of the processes.

The MSG G violates a necessary condition to be language equivalent to a 
local-choice specification. Intuitively, the condition states that its language must 
be a subset of a language of a generic local-choice equivalent MSG (for more 
details see [TT]). 

4 Realizability of Controllable-choice MSG 

In this section we present an algorithm for realization of controllable-choice MSG. 
The class of local-choice specifications admits a natural deadlock-free realization 
because every branching is controlled by a single process. 

As the triggers set for controllable-choice nodes can contain multiple pro- 
cesses, we need to ensure that all of them reach a consensus about which branch 
to choose. To achieve this goal, we allow the FSMs in certain situations to add 
a behavior prediction into its outgoing messages. Those predictions are stored 
in the finite-state control units and are forwarded within the existing communi- 
cation to other FSMs. 

The length of the prediction should be bounded, as we can attach only 
bounded information to the messages and we need to store it in the finite-state 
control unit. Therefore, it may be necessary to generate the behavior predictions 
multiple times. As the realization should be deadlock-free, we must ensure that 
the predictions are not conflicting — generated concurrently by different FSMs. 
To solve this we sometimes send together with the prediction also an event where 
the next prediction should be generated. 

Definition 10. A prediction for an MSG $G = (S, \tau, s_0, s_f, L)$ is a pair
$(\sigma, e) \in S^* \times (E \cup \bot)$, where $E$ is the set of all events of bMSCs assigned by $L$, the path $\sigma$
is called a prediction path, and $e$, called a control event, is an event from $L(\sigma)$.
A prediction path must satisfy one of the following conditions:

— The prediction path $\sigma$ is the longest common prefix of all MSG runs. This
special initial prediction path is named initialPath.

— The prediction path $\sigma$ is the shortest path $\sigma = \sigma_1 \sigma_2 \ldots \sigma_n$ in $G$ satisfying

1. $\sigma_n \in \mathcal{C}$, or

2. $\sigma_n \in \mathcal{U} \wedge \exists\, 1 \le i < n : \sigma_i = \sigma_n$, or

3. $\sigma_n = s_f$,

where $\mathcal{C} \subseteq S$ is the set of all local-choice nodes and $\mathcal{U} \subseteq S$ is the set of all
controllable-choice nodes.

We refer to the first node and to the last node of a prediction path $\sigma$ by
firstNode($\sigma$) and lastNode($\sigma$), respectively.
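
An added example, not from the paper, that cuts a run into prediction paths as Definition 10 describes. It reads "shortest" as stopping at the first node that meets one of the three conditions and takes the sets of local-choice and controllable-choice nodes as given; the sample graph and all function names are constructed for illustration.

```python
def initial_path(graph, s0):
    """Longest common prefix of all runs: follow s0 while the successor is unique."""
    path = [s0]
    while len(graph[path[-1]]) == 1:
        path.append(graph[path[-1]][0])
    return path


def partition_run(run, graph, sf, local, controllable):
    """Split a run s0 ... sf into initialPath followed by prediction paths."""
    first = initial_path(graph, run[0])
    if run[:len(first)] != first or run[-1] != sf:
        raise ValueError("not a run of this MSG")
    parts, current = [first], []
    for prev, node in zip(run[len(first) - 1:], run[len(first):]):
        if node not in graph[prev]:
            raise ValueError(f"no edge {prev} -> {node}")
        current.append(node)
        closes = (node in local                                       # condition 1
                  or (node in controllable and node in current[:-1])  # condition 2
                  or node == sf)                                      # condition 3
        if closes:
            parts.append(current)
            current = []
    return parts


# Constructed MSG: u is a controllable-choice node on a loop through b,
# l is a local-choice node on a loop through d.
GRAPH = {"s0": ["a"], "a": ["u"], "u": ["b", "c"], "b": ["u"],
         "c": ["l"], "l": ["d", "sf"], "d": ["l"], "sf": []}
LOCAL, CONTROLLABLE = {"l"}, {"u"}

if __name__ == "__main__":
    run = ["s0", "a", "u", "b", "u", "b", "u", "c", "l", "d", "l", "sf"]
    for part in partition_run(run, GRAPH, "sf", LOCAL, CONTROLLABLE):
        print(part)
```

A prediction path passes through a controllable-choice node once without stopping and closes only on the second visit, which is why the second part of the sample run has four nodes.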

Lemma 1. If the prediction path $\sigma$ ends with a controllable-choice node $u$,
the bMSC $L(\sigma)$ contains a resolving event for triggers(u) on $L(\sigma)$.

Proof. There are two cases to consider:

— If $\sigma$ = initialPath, then firstNode($\sigma$) = $s_0$ and as node $u$ is controllable-choice,
the path $\sigma$ contains a resolving event for triggers(u).

— Otherwise, the controllable-choice node $u$ occurs twice in the path $\sigma$. As
every cycle containing a controllable-choice node has to contain a resolving
event for the node, there is a resolving event for triggers(u) on path $\sigma$.

As there are no outgoing edges allowed in $s_f$, the terminal node $s_f \notin \mathcal{U}$. □

Note that the number of events in a given MSG is finite and the length of
each prediction path is bounded by $2 \cdot |S|$.

When the CFM execution starts, every FSM is initialized with an initial
prediction — (initialPath, $e_i$) — and starts to execute the appropriate projection
of $L$(initialPath). The value of $e_i$ depends on the initialPath. Let
lastNode(initialPath) = $\sigma_n$. In case of $\sigma_n \in \mathcal{U}$, the event $e_i$ is an arbitrary resolving
event from $L$(initialPath) for triggers($\sigma_n$). It follows from Lemma 1 that there
exists such an event. If $\sigma_n \in \mathcal{C} \cup \{s_f\}$, we set $e_i = \bot$.

Every FSM stores two predictions, one that is being currently executed and 
a future prediction that is to be executed after the current one. Depending on 
the lastNode of the current prediction, there are the following possibilities where 
to generate the future prediction. 

— If lastNode of the current prediction is in C, the future prediction is generated 
by the local-choice leader, while executing the first event after branching. 

— If lastNode of the current prediction is in U, the future prediction is generated 
by an FSM that executes the control event of the current prediction, while 
executing the resolving event. 

— If the lastNode of the current prediction is $s_f$, no further execution is possible
and so no new prediction is generated. 

When an FSM generates a new prediction, we require that there exists a tran- 
sition in the MSG from the last node of the current prediction path to the first 
node of the future prediction path, as the concatenation of prediction paths 
should result in a path in the MSG. If an FSM generates a future prediction 
ending with a controllable-choice node u, it chooses an arbitrary resolving event 
for triggers(u) to be the resolving event in the prediction. The existence of such
an event follows from Lemma 1. To ensure that other FSMs are informed about
the decisions, both predictions are attached to every outgoing message. The 
computation ends when no FSM is allowed to generate any future behavior. 

4.1 Algorithm 

In this section, we describe the realization algorithm. All the FSMs execute
the same algorithm, an implementation of the FSM $\mathcal{A}_p$ is described in Algorithm 1.
We use an auxiliary function path that returns a prediction path for
a given prediction. Every FSM stores a queue of events that it should execute
— eventQueue. The queue is filled with projections of bMSCs labeling projection
paths — $L(\text{prediction path})|_p$ for FSM $\mathcal{A}_p$. The execution starts with filling
the queue with the projection of the initialPath.

Algorithm 1 Process p implementation
 1: Variables: currentPrediction, nextPrediction, eventQueue;
 2: currentPrediction ← (initialPath, e_i);
 3: nextPrediction ← ⊥;
 4: eventQueue ← push(L(initialPath)|_p);
 5: while true do
 6:     if eventQueue is empty then
 7:         getNextNode();
 8:     e ← pop(eventQueue);
 9:     if e is a send event then
10:         if e is the resolving event in currentPrediction then
11:             node ← lastNode(path(currentPrediction));
12:             nextPrediction ← guessPrediction(node);
13:         send(e, currentPrediction, nextPrediction);
14:     if e is a receive event then
15:         receive(e, cP, nP);
16:         if nextPrediction = ⊥ then
17:             nextPrediction ← nP;

Function 2 getNextNode function for process p
 1: Function getNextNode()
 2:     node ← lastNode(path(currentPrediction));
 3:     if node ∈ U ∧ p ∈ triggers(node) then
 4:         currentPrediction ← nextPrediction;
 5:         nextPrediction ← ⊥;
 6:         eventQueue ← push(L(path(currentPrediction))|_p);
 7:     else if node ∈ C ∧ p ∈ triggers(node) then
 8:         currentPrediction ← guessPrediction(node);
 9:         nextPrediction ← ⊥
10:         eventQueue ← push(L(path(currentPrediction))|_p);
11:     else
12:         currentPrediction ← ⊥;
13:         nextPrediction ← ⊥;
14:         polling();
15: end function

Function 3 Polling function for process p
 1: Function polling()
 2:     while true do
 3:         if p has a message in some of its input buffers then
 4:             receive(e, cP, nP);
 5:             currentPrediction ← cP;
 6:             nextPrediction ← nP;
 7:             eventQueue ← push(L(path(currentPrediction))|_p);
 8:             pop(eventQueue);
 9:             return;
10: end function

The FSM executes a sequence of events according to its eventQueue. In order
to exchange information with other FSMs, it adds its knowledge of predictions to 
every outgoing message, and improves its own predictions by receiving messages 
from other FSMs. 

When the FSM executes a control event of the current prediction, it is responsible
for generating the next prediction. The function guessPrediction(u)
behaves as described in the previous section. It chooses a prediction $(\sigma, e)$, such
that $(u, \text{firstNode}(\sigma)) \in \tau$. If lastNode($\sigma$) $\in \mathcal{U}$, then $e$ is a chosen resolving event
in bMSC $L(\sigma)$ for the triggers set of the lastNode($\sigma$). Otherwise, we leave $e = \bot$.

If the eventQueue is empty, the FSM runs the getNextNode function to 
determine the continuation of the execution. If the lastNode of the current pre- 
diction is a controllable-choice node and p is in the triggers set of this node, it 
uses the prediction from its variable nextPrediction as its currentPrediction.
The variable nextPrediction is set to $\bot$.

If the lastNode of the currentPrediction is a local-choice node and p is 
the leader of the choice, it guesses the prediction and assigns it to the appropriate 
variables. Otherwise, the FSM forgets its predictions and enters a special polling 
state. This state is represented by the Polling function. Whenever the FSM 
receives a message, it sets its predictions according to the message. The pop 
function on line 8 ensures the consistency of the eventQueue. 

An execution is finished successfully if all the FSMs are in the polling state 
and all the buffers are empty. The correctness proof of the following theorem is 
attached in the Appendix A.

Theorem 2. Let $G$ be a controllable-choice MSG. Then the CFM $\mathcal{A}$ constructed
by Algorithm 1 is a deadlock-free realization, i.e. $\mathcal{C}(G) = \mathcal{C}(\mathcal{A})$.



5 Conclusion 

In this work we studied the message sequence graph realizability problem, i.e., 
the possibility to make an efficient and correct distributed implementation of 
the specified system. In general, the problem of determining whether a given 
specification is realizable is undecidable. Therefore, restricted classes of realizable 
specifications are of great interest to software designers.

In recent years, a promising research direction is to study deadlock-free
realizability allowing to attach bounded control data into existing messages. This
concept makes it possible to realize reasonable specifications that are not
realizable in the very original setting. In this work we introduced a new class of
so called controllable-choice message sequence graphs that admits a deadlock-free
realization with additional control data in messages. In other words, we have
successfully extended the class of MSG conforming to the established setting of
realizability. Moreover, we have presented an algorithm producing realization for
a given controllable-choice message sequence graph.

A Correctness

Definition 11 ([]]). A word $w \in \Sigma^*$ is well-formed iff for every prefix $v$ of $w$,
every receive event in $v$ has a matching send in $v$. A word $w \in \Sigma^*$ is complete
iff every send event in $w$ has a matching receive event in $w$.

Lemma 2. Let $\mathcal{A}$ be a CFM and $w \in \mathcal{C}(\mathcal{A})$, then there exists a bMSC $M$ such
that $w \in \mathcal{C}(M)$.

Proof. Every $w \in \mathcal{C}(\mathcal{A})$ is a well-formed and complete word. Using results from
[T] a word $w$ is a bMSC (potentially non-FIFO) linearization iff it is well-formed
and complete. So there exists a potentially non-FIFO bMSC $M$, such
that $w \in \mathcal{C}(M)$. It remains to show that the bMSC $M$ satisfies the FIFO
condition to fulfill our bMSC definition, but that follows directly from using
FIFO buffers in the CFM. □

Next, we make a few observations of the algorithm execution. For a given 
controllable-choice MSG $G$ we construct a CFM $\mathcal{A} = (\mathcal{A}_p)_{p \in V}$ according to
Algorithm 1.

Lemma 3. Let $(\sigma, e_i)$ be a prediction. FSM $\mathcal{A}_p$ enters the polling function after
executing $L(\sigma)$ iff

$$p \notin \text{triggers}(\text{lastNode}(\sigma)).$$

Proof. It holds for every prediction path $\sigma$ that lastNode($\sigma$) $\in \mathcal{U} \cup \mathcal{C} \cup \{s_f\}$.
Note that triggers($s_f$) $= \emptyset$ because no outgoing edge is allowed in the terminal
state of an MSG. In case of $p \in$ triggers, then lastNode($\sigma$) $\in \mathcal{U} \cup \mathcal{C}$ and one of
the two branches in Function 2 getNextNode is evaluated to true and polling
function is skipped. □

It is not necessarily true that every FSM executes an event in every predic- 
tion. In fact multiple predictions can be executed by the CFM, while a particular 
FSM A p executes the polling function and is not aware of predictions executed 
by other FSMs. 

However, when a prediction path ends with a controllable-choice node, all 
the processes in the triggers set are active in the prediction. 

Lemma 4. Let $(\sigma, e_i)$ be a prediction, such that lastNode($\sigma$) $\in \mathcal{U}$, then

$$p \in \text{triggers}(\text{lastNode}(\sigma)) \Rightarrow L(\sigma)|_p \neq \emptyset.$$

Proof. Let lastNode($\sigma$) = $u$. According to Lemma 1 there exists a resolving
event for triggers(u) in the bMSC $L(\sigma)$. Hence, there exists an event on process
$p$ that is dependent on the resolving event, therefore $L(\sigma)|_p \neq \emptyset$. □

Another interesting observation is that it is possible to uniquely partition
every MSG run into a sequence of prediction paths:

Proposition 2. Every run $\sigma$ in $G$ can be uniquely partitioned into a sequence
of prediction paths such that $\sigma = \mathit{initialPath}\, w_2 \cdots w_n$.

The following theorem shows that in fact it is not possible to execute
simultaneously different predictions by different FSMs.

Theorem 3. Let $\sigma = \mathit{initialPath}\, w_2 \cdots w_n$ such that every $w_i$ is a prediction
path. Then every FSM $\mathcal{A}_p$ for $p \in \mathit{triggers}(\mathit{lastNode}(w_n))$ possesses the same
future prediction $(w_{n+1}, e_{n+1})$, after executing the last event from $L(\sigma)$.

Proof. We will prove the theorem by induction with respect to the length of
path $\sigma$ (measured by the number of prediction paths):

Base case. Let the length of $\sigma$ be 1, then $\sigma = \mathit{initialPath}$. We have to consider
three options, depending on the type of $\mathit{lastNode}(\mathit{initialPath})$:

— Let $\mathit{lastNode}(\mathit{initialPath}) = s_f$, then $\mathit{triggers}(\mathit{initialPath}) = \emptyset$ and there
is nothing to prove.

— Let $\mathit{lastNode}(\mathit{initialPath}) \in \mathcal{C}$, then there exists a single leader process
in the triggers set. The FSM representing the leader process may choose
prediction $(w_2, e_2)$.

— The last option is that $\mathit{lastNode}(\mathit{initialPath}) \in \mathcal{U}$. Then the resolving event
$e_1$ in the initial prediction is not equal to $\bot$. The FSM executing the event
guesses the next prediction $(w_2, e_2)$.

Let $p \in \mathit{triggers}(\mathit{lastNode}(\mathit{initialPath}))$. In case the FSM $\mathcal{A}_p$ is not guessing
the prediction, we need to show that it receives the prediction in some
of its incoming messages. As $e_1$ is a resolving event, there exists a dependent
event on process $p$. Let us denote the minimal of such events $e_p$. Then $e_p$ is
a receive event and it is easy to see that the prediction $(w_2, e_2)$ is attached to
the incoming message. Hence, for every $p \in \mathit{triggers}(\mathit{lastNode}(\mathit{initialPath}))$,
FSM $\mathcal{A}_p$ has its variable nextPrediction set to $(w_2, e_2)$.
It follows from Lemma 3 that for every $p$ not in the triggers set, the FSM $\mathcal{A}_p$ is
in the polling state having its variable nextPrediction set to $\bot$.

Induction step. Let the length of $\sigma$ be $n$. As in the base case, we have to consider
multiple options:

— Let $\mathit{lastNode}(w_n) \in \{s_f\} \cup \mathcal{C}$, then the argument is the same as in the base
case.

— So let $\mathit{lastNode}(w_n) \in \mathcal{U}$. From induction hypothesis, it follows that all
FSMs $\mathcal{A}_p$ for $p \in \mathit{triggers}(w_{n-1})$ start to execute prediction path $w_n$ and all
the others are in the polling state.

Let $p \in \mathit{triggers}(w_n)$. We show that FSM $\mathcal{A}_p$ executes the projection $L(w_n)|_p$.
It follows from Lemma 4 that this projection is non-empty. We have already
shown that this is true for FSMs $\mathcal{A}_p$ such that $p \in \mathit{triggers}(w_{n-1})$. In case
of $p \notin \mathit{triggers}(w_{n-1})$, the FSM $\mathcal{A}_p$ is in the polling state. As it is not in
the triggers set, its first action is a receive event. It is easy to see that
the incoming message already contains the current prediction $(w_n, e_n)$ and
FSM $\mathcal{A}_p$ starts to execute $L(w_n)|_p$.

The rest of the proof is similar to the base case. During the execution of
the resolving event $e_n$ a new prediction $(w_{n+1}, e_{n+1})$ is guessed and
distributed to all FSMs $\mathcal{A}_p$ for $p \in \mathit{triggers}(w_n)$. □

To show that Algorithm 1 is a deadlock-free realization of the class of
controllable-choice MSG we need to show that $\mathcal{L}(G) = \mathcal{L}(\mathcal{A})$. We will divide the proof
into two parts, first showing that $\mathcal{L}(G) \subseteq \mathcal{L}(\mathcal{A})$ and finishing with $\mathcal{L}(\mathcal{A}) \subseteq \mathcal{L}(G)$.

A.1 $\mathcal{L}(G) \subseteq \mathcal{L}(\mathcal{A})$

We show that for all $w \in \mathcal{L}(G)$ also holds that $w \in \mathcal{L}(\mathcal{A})$. For every $w \in \mathcal{L}(G)$
there exists a run $\sigma$ in $G$ such that $w \in \mathcal{L}(L(\sigma))$.

We need to find a CFM execution, such that every FSM $\mathcal{A}_p$ executes the
projection $L(\sigma)|_p$ and ends in a polling state with the CFM having all the channels
empty. Then using Proposition 1 follows $\mathcal{L}(M) \subseteq \mathcal{L}(\mathcal{A})$ and especially $w \in \mathcal{L}(\mathcal{A})$.

According to Proposition 2 we can partition every run $\sigma$ uniquely into a
sequence of prediction paths $\sigma = \mathit{initialPath}\, w_2 \cdots w_n$. This sequence is a natural
candidate for prediction paths that should be guessed during the CFM execution.

Every CFM execution starts with an initial prediction $(\mathit{initialPath}, e_1)$. The
guessed future prediction paths are $w_2, w_3, \ldots$ The guessing continues until
the last prediction path $w_n$ is executed. As $\sigma$ is a run in MSG $G$, $\mathit{lastNode}(w_n) = s_f$.
Therefore, $\mathit{triggers}(\mathit{lastNode}(w_n)) = \emptyset$. It follows from Lemma 3 that all
the FSMs are in the polling state. All the channels are empty because of the
well-formedness and the completeness of the bMSC linearizations.

A.2 $\mathcal{L}(\mathcal{A}) \subseteq \mathcal{L}(G)$

We show that for every $w \in \mathcal{L}(\mathcal{A})$ also $w \in \mathcal{L}(G)$. According to Lemma 2 every
$w \in \mathcal{L}(\mathcal{A})$ identifies a bMSC $M$. To conclude this part of the proof, we find a run
$\sigma$ in $G$, such that $M = L(\sigma)$. As $\mathcal{L}(M) \subseteq \mathcal{L}(G)$ we get $w \in \mathcal{L}(G)$.

The run $\sigma$ in $G$ is defined inductively. Every FSM starts with executing
the $\mathit{initialPath}$ prediction path. So it is safe to start the run $\sigma$ with this
prediction path.

According to Theorem 3, whenever some prediction $w_i$ is executed, all FSMs
$\mathcal{A}_p$ for $p \in \mathit{triggers}(\mathit{lastNode}(w_i))$ agree on some future prediction $w_{i+1}$ and all
$\mathcal{A}_p$ such that $p$ executes an event in bMSC $L(w_{i+1})$ execute the projections
$L(w_{i+1})|_p$. All the other FSMs are in the polling state and are awakened only if
needed.

The predictions are guessed in such a way that the following condition holds:

$(\mathit{lastNode}(w_i), \mathit{firstNode}(w_{i+1})) \in t$

So it is safe to append $w_{i+1}$ at the end of $\sigma$. Next we show that $\sigma$ ends with
a terminal node. The CFM accepts when all the channels are empty and all
the FSMs are in the polling state. Hence, the last prediction that was executed
ended with a node with an empty triggers set. In general, it is possible that this
may not be the terminal node, but every path from this node reaches $s_f$ without
executing any event. So we can safely extend $\sigma$ with a path to a terminal node.



